North American Network Operators Group

Re: large organization nameservers sending icmp packets to dns servers.

  • From: Valdis . Kletnieks
  • Date: Fri Aug 10 11:24:37 2007

On Thu, 09 Aug 2007 22:58:40 -0000, Paul Vixie said:

> > How does the (eventual) deployment of DNSSEC change these numbers?
> 
> DNSSEC cannot be signalled except in EDNS.

Right. Elsewhere in this thread, somebody discussed ugly patches to keep
the packet size under 512.  I dread to think how many different ways of
"protecting" DNS are deployed that will break EDNS, and just haven't been
noticed because there's little enough *actual* EDNS breakage that it's down
in the noise of *other* "random voodoo" breakage at those sites.

> > And who's likely to feel *that* pain first?
> 
> the DNSSEC design seems to distribute pain very fairly.

I actually meant "which 800 pound gorilla is going to try this first and
find all the bustifications", but your answer is good too.. :)
